Microsoft Message Analyzer 1.4 Has Been Released

Below is a list of the specific features and improvements in Message Analyzer v1.4.

Customization

· Profiles – we often hear feedback such as: “When I open an IIS log, can’t you show me IIS-related columns of data?” The same question can be asked of many other file types that Message Analyzer supports, for example, .etw, .cap, .blg, .evtx, netlogon logs, and so on. Profiles solve this problem by defining Layout defaults based on the type of data you load. By using Tools->Options->Profiles, you can further customize the defaults of your working analysis environment for various input file types by creating your own Profiles. If you prefer not to use the Profiles feature, you can always unselect the Use Advanced Profiles check box shown in the Figure that follows.

Furthermore, all built-in Profiles are configured with a DefaultLayout for the Grouping viewer. This means that the Grouping viewer will automatically display the Default Layout whenever you load data from the input file type for which the Profile is configured, providing that the Profile is also configured to automatically open the Grouping viewer. In the case of the Chart viewer, the built-in Profiles are also configured with a Default chart Layout; however, you will need to manually select the Default layout item (see the Charts figure ahead) for the Chart viewer in the New Viewer drop-down list to display the Layout that is configured in the Profile, that is, after you load data from the specific input file type for which the Profile is configured. Note that you can configure your own default Layouts for these viewers in any new Profile that you create.

· Window Layouts – somewhat related to Profiles, Window Layouts quickly arrange Tool Window presets in various configurations to customize your working environment. With this feature, you can understand specialized tools by exploring each built-in Window Layout. The Simple Layout is a great place to start if you are a beginner. The Network Layout is perhaps the next step and is useful for viewing network stack information. The Advanced Layout exposes many features, such as the Compare Fields, Selection, and Bookmarks Tool Windows. Select one, customize it, and Message Analyzer will save your custom Layout when you exit the application.

· Charts – previously, Charts were a combination of visualizer components put together in one view. Now we’ve separated these components for consistency with our paradigm where each data viewer has its own set of Layouts. For charts, each Layout represents a single visualizer component that provides a top-level data summary or statistics based on a message type, fields, properties, and a pre-configured formula to cover a particular analysis scenario. If you miss the old charts, you can still display them from the Charts (Deprecated) drop-down list.

Improvements

· Filtering Toolbar – we heard your feedback that you want a filter bar at the top. We also realized that you got confused when there were multiple views of data, each with separate filters. To solve this, we have included a separate Filtering toolbar at the top of each viewer tab. For most views, the toolbar is opened by default with one blank filter. But you can use the Add Filter button on the Filtering toolbar to add one or more of various filter types that include a View Filter, Time Filter, and Viewpoint Filter, as shown in the Figure that follows.

· Process Name Improvements – in the previous Message Analyzer version 1.3.1, we added the ability to read process name information, provided that the special Windows-Kernel-Trace provider was available. Now you can capture process names natively with Message Analyzer. Additionally, we support process name information in .cap files that were captured using Network Monitor, and we also display the icons in the Grouping view, as shown in the Figure below.

Features

· Flat Message List – Message Analyzer reduces noise in a trace by automatically condensing the traffic so that fragmentation packets are hidden and requests and responses are grouped together in top-level Operation nodes. By clicking the Flat Message List button, you can change the mode to show you the raw traffic that is reorganized in the chronological order in which the messages were originally captured. Messages are still reassembled, but Operations are removed and the fragments are shown in their original sequence. This mode enables you to view traffic the way Network Monitor and other protocol analyzers display it, and can help you compare data to other tools in a way that is familiar to you.

· P-Mode – promiscuous mode is supported by many network Ethernet vendors. P-Mode enables Message Analyzer to see traffic that is not directly targeted to your machine. If you can configure your switch to forward packets from another machine, or perhaps all network traffic if you are brave and can handle that much traffic, you can enable this option in the Advanced Settings – Microsoft-Windows-NDIS-PacketCapture provider configuration dialog, which is accessible from the New Session dialog, as shown in the Figure below.

· Auto IP Address Resolution – this feature uses captured name resolution network traffic and translates it into friendly names. For instance, when a DNS request resolves 192.168.1.1 to MSN.COM, Message Analyzer will now use that friendly name in the UI instead of the IP address.
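
The following is an added example, not code from Message Analyzer or from this post, that shows the mechanism the Auto IP Address Resolution feature describes: DNS answers seen in the capture populate an address-to-name cache, and later messages are displayed with the name. The message layout, field names and the sample trace are all constructed for the example.

```python
# Added example (not Message Analyzer code): learn ip -> name mappings from DNS
# answers observed in a capture and apply them to later messages, as the Auto
# IP Address Resolution feature does in the UI. Message layout is assumed.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Message:
    ts: float                       # capture time, seconds
    src: str                        # source IP
    dst: str                        # destination IP
    proto: str                      # "DNS", "TCP", ...
    # For DNS responses: (queried name, resolved address); None otherwise.
    dns_answer: Optional[Tuple[str, str]] = None


@dataclass
class NameCache:
    names: dict = field(default_factory=dict)  # ip -> last name observed for it

    def observe(self, m: Message) -> None:
        """Only answers present in the trace populate the cache; nothing is
        looked up live, so the display reflects what was captured."""
        if m.proto == "DNS" and m.dns_answer is not None:
            name, ip = m.dns_answer
            self.names[ip] = name

    def friendly(self, ip: str) -> str:
        return self.names.get(ip, ip)


def annotate(trace: List[Message]) -> List[Tuple[float, str, str, str]]:
    """Walk the trace in capture order so a name applies only to messages
    captured after the answer that produced it."""
    cache = NameCache()
    rows = []
    for m in sorted(trace, key=lambda x: x.ts):
        cache.observe(m)
        rows.append((m.ts, cache.friendly(m.src), cache.friendly(m.dst), m.proto))
    return rows


# Constructed sample trace (not captured data): a TCP flow to 192.168.1.1
# before and after a DNS answer that maps MSN.COM to that address.
SAMPLE_TRACE = [
    Message(0.000, "10.0.0.5", "192.168.1.1", "TCP"),
    Message(0.100, "10.0.0.53", "10.0.0.5", "DNS", dns_answer=("MSN.COM", "192.168.1.1")),
    Message(0.200, "10.0.0.5", "192.168.1.1", "TCP"),
]

if __name__ == "__main__":
    for row in annotate(SAMPLE_TRACE):
        print(row)
```

The first TCP message still shows the raw address because no answer had been seen yet; the second shows MSN.COM. When several names resolve to one address the last answer wins, and the name is only as reliable as the captured response, so keep the raw address column available when the distinction matters.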

· Time Offset – Message Analyzer now provides a new Global Property called DeltaFromFirst, which enables you to measure the time offset from the beginning of a trace. You can add the DeltaFromFirst property as a new column in the Analysis Grid for viewing the time data, by using the Field Chooser, as shown in the Figure that follows.
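
As an added example covering both the Flat Message List item above and the DeltaFromFirst property, the following code (not Message Analyzer code; the frame layout and sample frames are constructed) builds the two views side by side: the condensed Operation view with request and response paired and fragments hidden, and the flat chronological list with the offset from the first frame.

```python
# Added example (not Message Analyzer code): the condensed Operation view
# versus the Flat Message List, plus the DeltaFromFirst offset, computed over
# a constructed set of frames. Frame layout is assumed for the example.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Frame:
    ts: float     # capture timestamp, seconds
    kind: str     # "request", "response" or "fragment"
    op: str       # operation the frame belongs to (request/response pairing key)


def grouped_view(frames: List[Frame]) -> List[Dict]:
    """Condensed view: one top-level node per Operation, fragments hidden,
    request and response paired so the operation's latency is visible."""
    ops: Dict[str, Dict] = {}
    for f in sorted(frames, key=lambda x: x.ts):
        if f.kind == "fragment":
            continue                           # folded into the reassembled message
        node = ops.setdefault(f.op, {"op": f.op, "request": None, "response": None})
        node[f.kind] = f.ts
    for node in ops.values():
        if node["request"] is not None and node["response"] is not None:
            node["latency"] = round(node["response"] - node["request"], 6)
        else:
            node["latency"] = None             # unmatched request or response
    return list(ops.values())


def flat_view(frames: List[Frame]) -> List[Tuple[float, str, str]]:
    """Flat Message List: every frame, fragments included, in capture order,
    with DeltaFromFirst = offset from the first frame of the trace."""
    ordered = sorted(frames, key=lambda x: x.ts)
    if not ordered:
        return []
    t0 = ordered[0].ts
    return [(round(f.ts - t0, 6), f.kind, f.op) for f in ordered]


# Constructed frames (not a real capture): two interleaved operations, the
# response of A arriving in two fragments before the reassembled response.
SAMPLE_FRAMES = [
    Frame(1000.000, "request",  "A"),
    Frame(1000.005, "request",  "B"),
    Frame(1000.010, "fragment", "A"),
    Frame(1000.012, "fragment", "A"),
    Frame(1000.013, "response", "A"),
    Frame(1000.020, "response", "B"),
]

if __name__ == "__main__":
    for node in grouped_view(SAMPLE_FRAMES):
        print("operation", node)
    for row in flat_view(SAMPLE_FRAMES):
        print("flat", row)
```

The grouped view collapses six frames into two operation nodes; the flat view keeps all six in the order they were captured, which is the form other protocol analyzers present and the easier one to compare against them.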

· Decoded URLs – URLs can be encoded with escape characters that make them difficult to read. The Field Data Tool Window has been extended to show a decoded view, which is easier to read.
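
An added example (not Message Analyzer code) of the decoded view described above, using the standard library's percent-decoder. Beyond the single decode the Tool Window performs, it reports how many decoding rounds were needed, since more than one means the value was encoded more than once, and whether any escape sequence was malformed and therefore left as-is. The sample URLs are constructed.

```python
# Added example (not Message Analyzer code): produce a decoded view of an
# escaped URL, plus two facts a reader wants alongside it: the number of
# decoding rounds (more than one means the value was encoded more than once)
# and whether any escape was malformed. Sample inputs are constructed.
import re
from typing import Dict
from urllib.parse import unquote

_VALID_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")
_MALFORMED_ESCAPE = re.compile(r"%(?![0-9A-Fa-f]{2})")


def decoded_view(url: str, max_rounds: int = 3) -> Dict[str, object]:
    current = url
    rounds = 0
    # Decode again while valid escapes remain, bounded so that text which
    # legitimately contains "%" after decoding cannot loop forever.
    while rounds < max_rounds and _VALID_ESCAPE.search(current):
        current = unquote(current, encoding="utf-8", errors="replace")
        rounds += 1
    return {
        "raw": url,
        "decoded": current,
        "rounds": rounds,
        "malformed": _MALFORMED_ESCAPE.search(url) is not None,
    }


# Constructed inputs (not taken from a capture).
SAMPLES = {
    "plain":  "/search?q=caf%C3%A9",      # one round; a UTF-8 byte sequence
    "double": "/search?q=%253Cb%253E",    # "%25" hides a second encoded layer
    "broken": "/search?q=100%zz",         # "%zz" is not a valid escape
}

if __name__ == "__main__":
    for label, url in SAMPLES.items():
        print(label, decoded_view(url))
```

Escapes are decoded as UTF-8 with undecodable bytes replaced, so the view is always readable; the raw value is kept in the result for the cases where the exact bytes matter.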

· Enhanced Bit-field Display – bit-fields are now displayed in the Details Tool Window so that it is easier to understand where the bits are, and you can also view a description for each bit setting.
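
An added example, not Message Analyzer code, of how a bit-field can be rendered one row per bit so the position of each bit and the meaning of its setting are visible. The TCP flags byte is used as the sample field; its bit assignments follow RFC 793 and RFC 3168, while the row format and function names are this example's own.

```python
# Added example (not Message Analyzer code): render a bit-field one row per
# bit, with the bit's position marked and a description of the setting. The
# TCP flags byte is the sample field (bit layout per RFC 793 and RFC 3168).
from typing import Dict, List, Tuple

# (name, bit index counted from the least significant bit, description)
TCP_FLAGS: List[Tuple[str, int, str]] = [
    ("CWR", 7, "Congestion Window Reduced"),
    ("ECE", 6, "ECN-Echo"),
    ("URG", 5, "Urgent pointer field is significant"),
    ("ACK", 4, "Acknowledgment field is significant"),
    ("PSH", 3, "Push function"),
    ("RST", 2, "Reset the connection"),
    ("SYN", 1, "Synchronize sequence numbers"),
    ("FIN", 0, "No more data from sender"),
]


def mask_line(bit: int, width: int, value: int) -> str:
    """'...1 ....'-style row: the bit's value at its position, dots elsewhere,
    with a space between nibbles so the position is easy to read."""
    out = []
    for pos in range(width - 1, -1, -1):
        out.append(str((value >> pos) & 1) if pos == bit else ".")
        if pos % 4 == 0 and pos != 0:
            out.append(" ")
    return "".join(out)


def describe_bitfield(value: int, width: int,
                      specs: List[Tuple[str, int, str]]) -> List[Dict[str, object]]:
    rows = []
    for name, bit, desc in specs:
        if bit >= width:
            raise ValueError(f"bit {bit} of {name} is outside a {width}-bit field")
        is_set = bool((value >> bit) & 1)
        rows.append({"mask": mask_line(bit, width, value), "name": name,
                     "set": is_set, "description": desc})
    return rows


def set_flags(value: int, width: int, specs: List[Tuple[str, int, str]]) -> List[str]:
    """Names of the bits that are set, in the order the spec lists them."""
    return [r["name"] for r in describe_bitfield(value, width, specs) if r["set"]]


if __name__ == "__main__":
    # 0x12 is the flags byte of a SYN-ACK segment.
    for row in describe_bitfield(0x12, 8, TCP_FLAGS):
        state = "Set" if row["set"] else "Not set"
        print(f"{row['mask']} = {row['name']}: {state} ({row['description']})")
```

The same `describe_bitfield` works for any width and spec list, so a 16- or 32-bit flags word from another protocol only needs its own table of (name, bit, description) entries.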

· Save as Binary – from the Message Data Tool Window, you now have the option to export any hex selection as Binary. For example, you can export data to save a PNG file, or extract some piece of information that you need to evaluate in other tools.
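
As an added example (not Message Analyzer code), the following turns a hex selection copied from a hex view back into bytes and checks the result against a few well-known file signatures, which is the same outcome as the Save as Binary export followed by opening the file in another tool. The assumed row format (an `offset:` column, spaced hex pairs, an optional ASCII gutter) and the sample selection are constructed for the example.

```python
# Added example (not Message Analyzer code): convert a hex selection back into
# bytes and identify the data from its signature. The row format assumed here
# ("0000: 89 50 ...  .PNG") and the sample selection are constructed.
import re
from typing import Optional

_OFFSET = re.compile(r"^\s*[0-9A-Fa-f]{4,8}:\s*")   # leading "0000:" column
_HEX_RUN = re.compile(r"(?:[0-9A-Fa-f]{2})+")       # one or more hex pairs

# Well-known signatures; PNG is the case the feature description mentions.
SIGNATURES = {
    "PNG": bytes.fromhex("89504E470D0A1A0A"),
    "GZIP": bytes.fromhex("1F8B"),
    "PDF": b"%PDF-",
}


def hex_selection_to_bytes(selection: str) -> bytes:
    """Accept a bare run of hex (spaced or not) or hex-view rows with an offset
    column and an ASCII gutter. On each row the first token that is not a run
    of hex pairs is taken as the start of the gutter; a gutter that happens to
    begin with two hex characters would be misread, so copy hex only if the
    view offers it."""
    out = bytearray()
    for line in selection.splitlines():
        line = _OFFSET.sub("", line)
        for token in line.split():
            if not _HEX_RUN.fullmatch(token):
                break
            out.extend(bytes.fromhex(token))
    return bytes(out)


def identify(data: bytes) -> Optional[str]:
    for name, sig in SIGNATURES.items():
        if data.startswith(sig):
            return name
    return None


# Constructed selection (not captured data): the first 24 bytes of a PNG file
# as two hex-view rows with offset and ASCII columns.
SAMPLE_SELECTION = """\
0000: 89 50 4E 47 0D 0A 1A 0A 00 00 00 0D 49 48 44 52  .PNG........IHDR
0010: 00 00 00 01 00 00 00 01                          ........
"""

if __name__ == "__main__":
    data = hex_selection_to_bytes(SAMPLE_SELECTION)
    print(len(data), "bytes, looks like", identify(data))
    # Writing the bytes out is the export step; path is a placeholder.
    # with open("export.bin", "wb") as fh:
    #     fh.write(data)
```

Checking the signature before trusting the extension matters when the selection came from a reassembled stream: a misplaced start offset produces a file that is a few bytes off and will not open, and the signature check makes that obvious immediately.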

· WPP Symbol Configuration – WPP tracing is a method of instrumenting code to write events and provides information such as source code file name and line number. But this requires private symbols in order to parse events properly. Now by using Tools->Options, you can configure the location of TMFs or point directly to your PDB path through a dedicated UI. The latter option requires a local version of TracePDB, which you also need to reference if you choose that option.

· Trace Custom GUIDs – if a provider component doesn’t register with your system, you won’t find it in the System Provider list. Now Message Analyzer enables you to manually add a GUID for an ETW provider by using the Add Providers feature, as shown in the Figure that follows. Thereafter, the provider will be registered and Message Analyzer will remember it so that you can locate and select the provider quickly during session configuration.

· Drag and Drop – you can now drag and drop multiple files from File Explorer and aggregate their data into a single session. You can still use New Session->Files to filter your data down, or simply use the Edit Session button after you drag and drop, to change what data you import and analyze.

· Enhanced OPN Viewer – in the Details Tool Window, you can right-click a field and select Go to <fieldname> Definition to display the field definition in OPN code. In this context, the OPN viewer has been updated to provide a better viewing experience. In addition, you can right-click a code entity such as a data type to display a context menu that enables you to search Microsoft documentation for more programmatic information about the particular entity that you selected in the OPN viewer, as shown in the Figure that follows.

· Updated Status – the status bar now provides a wait cursor that activates when Message Analyzer is busy processing or capturing data. Now, even if you don’t have the Session Explorer open, you are still notified when messages are being loaded, captured, or processed, as shown in the Figure that follows.